Big Data Security Analytics , Governance & Risk Management , Next-Generation Technologies & Secure Development

German Antitrust Office Restricts Facebook Data Processing

Facebook Must Obtain Consent to Combine User Data From Different Sources
German Antitrust Office Restricts Facebook Data Processing

This story has been updated with comment from Facebook.

See Also: Take Inventory of Your Medical Device Security Risks

Germany's competition authority on Thursday issued a decision that prohibits Facebook from combining user data from different sources unless it first gains a user's explicit consent.

The Bundeskartellamt, or Federal Cartel Office, in its antitrust decision says that Facebook will not be allowed to make using its service contingent on an individual having to agree that Facebook can gather and use the individual's data however the social network pleases. The decision has not yet gone into effect.

The competition authority says that Facebook's ability to combine data from its WhatsApp and Instagram services, as well as third-party sites, has helped it to achieve market dominance.

"With regard to Facebook's future data processing policy, we are carrying out what can be seen as an internal divestiture of Facebook's data," says Andreas Mundt, president of the Bundeskartellamt. "In the future, Facebook will no longer be allowed to force its users to agree to the practically unrestricted collection and assigning of non-Facebook data to their Facebook user accounts."

Facebook has one month to appeal the decision to the Düsseldorf Higher Regional Court. If the decision proceeds, the technology giant will have 12 months to comply.

Later on Thursday, Facebook said it plans to appeal the decision, noting that it has been in discussions with the Bundeskartellamt for more than two years. "Using information across services helps to make them better and protect people's safety," said Facebook's Yvonne Cunnane, head of data protection in Ireland, and Nikhil Shanbhag, director and associate general counsel, in a blog post titled "Why We Disagree With the Bundeskartellamt."

Data Collection is a Business

In December 2018, Facebook had 1.52 billion daily active users and 2.32 billion monthly active users.

In Germany, Facebook faces no serious social media challenger, the Bundeskartellamt says. Facebook commands a market share of 95 percent of daily active social media users and more than 80 percent of monthly social media users, it says. Google's rival Google+ social network has announced that it will shutter in April, except for corporate versions.

"We are carrying out what can be seen as an internal divestiture of Facebook's data."
—Andreas Mundt, Bundeskartellamt

Germany's competition authority says Facebook's WhatsApp service has more than 1 billion users worldwide, including up to 60 million daily active users in Germany, while Instagram has more than 500 million daily users worldwide and up to 20 million daily users in Germany. The Bundeskartellamt says "the additional data flow is substantial" from all of these services.

The regulator acknowledges that collecting data is essential to running a social network as well as any data-driven business, and users know this type of data will be collected.

But Facebook now requires users to allow it "to collect an almost unlimited amount of any type of user data from third-party sources, allocate these to the users' Facebook accounts and use them for numerous data processing processes," it says. For example, for third-party sites that include Facebook's "Like" or "Share" buttons, data begins flowing to these sites whenever a Facebook user visits.

"Calling up a website with an embedded 'Like' button will start the data flow. Millions of such interfaces can be encountered on German websites and on apps," the regulator says, noting that on many more sites that use the 'Facebook Analytics' service in the background, these data flows will not be visible to users.

"Unregulated data capitalism inevitably creates unfair conditions."
—Marc Al-Hames, Cliqz

The regulator proposes that Facebook still be allowed to combine data on users - drawing on Facebook, Instagram and WhatsApp, as well as third-party sources - provided it gains an individual's voluntary consent to do so (see: Facebook Gets Its First Real Privacy Penalty - From Apple).

"Voluntary consent means that the use of Facebook's services must not be subject to the users' consent to their data being collected and combined in this way," Mundt says. "If users do not consent, Facebook may not exclude them from its services and must refrain from collecting and merging data from different sources."

Regulations for 'Data Capitalism'

Some privacy watchers have applauded the Bundeskartellamt's move to prohibit organizations from blocking users unless they agree to give a social network the ability to gather and process their personal data in unlimited ways.

"Unregulated data capitalism inevitably creates unfair conditions," says Marc Al-Hames, general manager of Cliqz, a German developer of data protection technologies - including Ghostery anti-tracking software - that is owned by Hubert Burda Media and Mozilla.

"Just look at Facebook's messenger WhatsApp: It's simply indispensable for many young people today," he says. "This is where conversations and friendships are happening. If you want to be a part of it, you have to join. Social media create social pressure. And Facebook exploits this mercilessly: Give me your data or you're an outsider. That's clearly an abuse of a dominant market position."

Alphabet Dominates Data Collection

In terms of raw user data collection, Al-Hames notes that statistics gathered by the company's software find that one-quarter of websites that users visit have Facebook analytics software embedded. But he says the dominant data collector remains Alphabet, the parent company of Google (see: Fresh GDPR Complaints Take Aim at Targeted Advertising).

"With Google search, the Android operating system, the Play Store app sales platform and the Chrome browser, the internet giant collects data on virtually everyone in the Western world," Al-Hames says, noting that Alphabet's trackers appear on almost 80 percent of all page loads the company's users encounter.

Top 5 Web Trackers in Germany

Shown above: reach, defined as the proportion of web pages that load with at least one tracking script from the designated vendor. (Source: Clicz and Ghostery statistics collected on Jan. 12, 2019.)

Antitrust or Privacy Domain?

But the Information Technology and Innovation Foundation, a nonprofit and nonpartisan think tank based in Washington, has accused the Bundeskartellamt of muddling antitrust and data privacy concerns. It says the latter should remain the domain of the EU's General Data Protection Regulation as enforced by European data protection authorities (see: France Hits Google With $57 Million GDPR Fine).

"The European Union created the General Data Protection Regulation dedicated to data protection - it should be able to handle privacy concerns without being propped up by competition authorities," says Rob Atkinson, president of the ITIF. "Competition authorities do have a role to play in overseeing anticompetitive behavior. But Facebook is not a monopoly in the actual relevant market, the ad market or even in the social networks market."

Facebook has signaled that it plans to follow a similar legal tack as it fights the German antitrust authorities proposed decision. "The Bundeskartellamt underestimates the fierce competition we face in Germany, misinterprets our compliance with GDPR and undermines the mechanisms European law provides for ensuring consistent data protection standards across the EU," say Facebook's Cunnane and Shanbhag.

This story has been updated with comment from Facebook.


About the Author

Mathew J. Schwartz

Mathew J. Schwartz

Executive Editor, DataBreachToday & Europe, ISMG

Schwartz is an award-winning journalist with two decades of experience in magazines, newspapers and electronic media. He has covered the information security and privacy sector throughout his career. Before joining Information Security Media Group in 2014, where he now serves as the executive editor, DataBreachToday and for European news coverage, Schwartz was the information security beat reporter for InformationWeek and a frequent contributor to DarkReading, among other publications. He lives in Scotland.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing healthcareinfosecurity.com, you agree to our use of cookies.